Detecting anomalies using real-time controller processing activity

ABSTRACT

Disclosed embodiments relate to identifying Electronic Control Unit (ECU) anomalies in a vehicle. Operations may include monitoring data representing real-time processing activity of the ECU; receiving comparable data relating to processing activity of at least one other ECU deemed comparable in functionality to the ECU; comparing the real-time processing activity data with the comparable data, to identify at least one anomaly in the real-time processing activity of the ECU; and implementing a control action for the ECU when the at least one anomaly is identified.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/044,405, filed on Jul. 24, 2018, currently pending, which claimspriority to U.S. Provisional Patent App. No. 62/536,767, filed on Jul.25, 2017, and U.S. Provisional Patent App. No. 62/560,224, filed on Sep.19, 2017. The disclosures of the above-referenced applications areexpressly incorporated herein by reference in their entireties.

BACKGROUND

Modern vehicles utilize many Electronic Control Units (ECUs) to controloperations of components such as engines, powertrains, transmissions,brakes, suspensions, onboard entertainment systems, communicationsystems, and the like. ECUs control basic operations of modern vehicles,from power steering to breaking to acceleration. In addition, ECUscontrol numerous add-on and analytical features in vehicles. Forexample, some cars may be equipped with ECUs configured to collect andanalyze driving data, which may be provided to insurance companies todetermine insurance premiums. Some cars may be equipped with ECUsconfigured to enhance the driving experience, and some may be equippedwith ECUs configured to provide advanced (or automated) drivingassistance.

As ECUs continue to increase in complexity and sophistication, managingsoftware performance, upgrades, and bug fixes on ECUs is becoming achallenge. Currently, there are roughly 60 to 70 ECUs in an average car(and roughly 180 ECUs in a luxury car). These ECUs correspond to tens ofmillions of lines of code. Maintaining the code is becoming increasinglydifficult. Moreover, highly sophisticated software tends to be moreprone to vulnerabilities such as software bugs, glitches, andcalibration problems. Manufacturers or developers of ECUs may wish topromptly fix these vulnerabilities as soon as they are discovered.

A further type of vulnerability in ECUs relates to ECU errors or faults.An ECU error may be, for example, a runtime error, stack overflow, stackunderflow, etc. An ECU fault may be, for example, a deviation in thenormal or expected operation of an ECU (e.g., performing a function acertain number of times per time interval, but then “drifting” toperform the function a different number of times, either suddenly orslowly over time). Slowly implemented drifting in the execution of ECUsoftware can be a particularly difficult problem, since it is hard toimmediately detect given the lack of any obvious signs of changes to theECU's operation.

One approach to address these vulnerabilities in affected vehicles is toissue a recall. However, recalls can be time-consuming, and they do notprovide any assurance that the affected vehicles will be fixed in atimely manner. Alternatively, manufacturers or developers may attempt toprovide fixes to the affected vehicles through on-board diagnostic (OBD)ports or over-the-air (e.g., using various types of wirelesscommunication techniques). Nevertheless, OBD ports are themselves attacksurfaces for vehicles, and over-the-air fixes are typically inefficient,inconvenient to the vehicle owner, and prone to introduce yet additionalbugs.

Moreover, current attempts of OBD and over-the-air update techniquesstill have limitations in terms of time and space efficiency. Forexample, current attempts of over-the-air-update techniques require themanufacturer to distribute a new version of the entire ECU software as areplacement package to the affected vehicles. When the replacementpackage is received by an affected vehicle, the affected vehicle isrequired to store the replacement package into a spare memory space(i.e., a memory space not used by the ECU), erase the current version ofthe ECU software from the memory space used by the ECU, copy thereplacement package from the spare memory space into the memory spaceused by the ECU, and restart the ECU so it can load the new version ofthe ECU software. This is virtually impossible in ECUs, due tosignificant storage space limitations and the interruption to thefunctioning of the ECU. ECUs are nearly full with existing software anddata already, and have very limited available storage space for newsoftware or data. Further, there are significant cost limitationsassociated with providing new software to ECUs. Moreover, interruptingthe processing flow of an ECU can be inconvenient or very dangerous,depending on the role of the ECU and the conditions of the vehicle.

There is thus a need for technological solutions to generate, receive,and process update packages for updating software on ECUs without theaforementioned shortcomings. In particular, there is a need forsolutions for updating a vehicle with differential software, rather thanan entire software module or package, over the air and without adedicated client on an ECU. Further, solutions should not have arequirement of significant additional memory usage, or any downtime ofthe ECU itself. In addition, such solutions should not requirereprogramming the memory of the ECU. Further, such solutions shouldallow for rolling back the software version on an ECU to a prior versionwithout the need to download an entire software module, withoutreprogramming the memory (which can be expensive, time-consuming, anddisruptive), and again without significant memory requirements or anydowntime of the ECU.

There is also a need for technological solutions to generate data forabnormality detection that will not consume large amounts of datathroughput to store or to transmit. Such techniques should provide leanexecution performance to keep the main application on an ECU running,with all its resources it needs, and without additional requiredresources. It would further be advantageous to utilize a distributedvehicle architecture solution that sends only calls for action (e.g.,based on anomaly detection through machine learning) to a control centeror server for performing responsive actions.

Further, there is a need for technological solutions for the problemsthat arise based on dependencies between ECUs in vehicles. For example,when the software on one ECU is updated, it may cause the ECU to beunable to communicate with other ECUs in the vehicle. This may occur,for example, when the update to the ECU affects its network address,incoming or outgoing communications policies, format or payload of datacommunications, timing of communications, protocol of communications, orvarious other attributes of its functionality. It would be advantageous,therefore, to be able to manage the dependencies between ECUs so thatsoftware updates to ECUs can be coordinated and performed on all ECUsthat may be impacted by an update.

SUMMARY

The disclosed embodiments describe non-transitory computer readablemedia and methods for identifying Electronic Control Unit (ECU)anomalies in a vehicle. For example, in an exemplary embodiment, theremay be a non-transitory computer readable medium including instructionsthat, when executed by at least one processor, cause the at least oneprocessor to perform operations for identifying ECU anomalies in avehicle. The operations may comprise: monitoring data representingreal-time processing activity of the ECU; receiving comparable datarelating to processing activity of at least one other ECU deemedcomparable in functionality to the ECU; comparing the real-timeprocessing activity data with the comparable data, to identify at leastone anomaly in the real-time processing activity of the ECU; andimplementing a control action for the ECU when the at least one anomalyis identified.

According to a disclosed embodiment, the control action includes issuinga prompt to adjust the ECU from executing a first version of ECUsoftware to a second version of ECU software.

According to a disclosed embodiment, software on the ECU is mapped to aplurality of functional units, and the ECU is configured to utilize avirtual file system (VFS) to manage and track one or more versions ofeach of the plurality of functional units.

According to a disclosed embodiment, adjusting the ECU from executingthe first version of ECU software to the second version of ECU softwarecomprises: updating memory addresses of one or more functional unitsmanaged by the VFS based on a delta file corresponding to the secondversion of ECU software.

According to a disclosed embodiment, the comparable data comprises dataobtained in real-time relating to processing activity of a plurality ofother ECUs deemed comparable to the ECU.

According to a disclosed embodiment, the comparable data comprises datapreviously gathered relating to processing activity of a plurality ofother ECUs deemed comparable to the ECU.

According to a disclosed embodiment, receiving the comparable datafurther comprises: obtaining the comparable data based on rulesassociated with ECU software running on the ECU.

According to a disclosed embodiment, receiving the comparable datafurther comprises: obtaining the comparable data based on known validsequences of execution of ECU software running on the ECU.

According to a disclosed embodiment, receiving the comparable datafurther comprises: obtaining the comparable data based on knownpotentially malicious sequences of execution of ECU software running onthe ECU.

According to a disclosed embodiment, receiving the comparable datafurther comprises: obtaining the comparable data based on a map fileassociated with ECU software on the ECU.

According to a disclosed embodiment, receiving the comparable datafurther comprises: receiving observational data from other vehicles; andobtaining the comparable data based on the observational data.

According to a disclosed embodiment, the at least one anomalycorresponds to specific memory locations used by the ECU.

According to a disclosed embodiment, the at least one anomalycorresponds to specific sequences of memory locations used by the ECU.

According to a disclosed embodiment, the at least one anomalycorresponds to at least one peak in data flow in or out of the ECU.

According to a disclosed embodiment, the at least one anomalycorresponds to at least one peak in data processing by a processor ofthe ECU.

According to a disclosed embodiment, the at least one anomalycorresponds to at least one anomaly in power consumption of the ECU.

According to a disclosed embodiment, the control action comprises atleast one of: sending an alert associated with the ECU, blocking aninstruction sent from the ECU, or rolling back a version of softwarerunning on the ECU to a prior version of software.

According to a disclosed embodiment, a system may be implemented foridentifying ECU anomalies in a vehicle. The system may comprise: one ormore processors; and one or more memories having instructions that, whenexecuted by the one or more processors, cause the one or more processorsto perform the operations of: monitoring data representing real-timeprocessing activity of the ECU; receiving comparable data relating toprocessing activity of at least one other ECU deemed comparable infunctionality to the ECU; comparing the real-time processing activitydata with the comparable data, to identify at least one anomaly in thereal-time processing activity of the ECU; and implementing a controlaction for the ECU when the at least one anomaly is identified.

According to a disclosed embodiment, the control action comprisesissuing a prompt to adjust the ECU from executing a first version of ECUsoftware to a second version of ECU software.

According to a disclosed embodiment, a method may be implemented foridentifying ECU anomalies in a vehicle. The method may comprise:monitoring data representing real-time processing activity of the ECU;receiving comparable data relating to processing activity of at leastone other ECU deemed comparable in functionality to the ECU; comparingthe real-time processing activity data with the comparable data, toidentify at least one anomaly in the real-time processing activity ofthe ECU; and implementing a control action for the ECU when the at leastone anomaly is identified.

Aspects of the disclosed embodiments may include tangiblecomputer-readable media that store software instructions that, whenexecuted by one or more processors, are configured for and capable ofperforming and executing one or more of the methods, operations, and thelike consistent with the disclosed embodiments. Also, aspects of thedisclosed embodiments may be performed by one or more processors thatare configured as special-purpose processor(s) based on softwareinstructions that are programmed with logic and instructions thatperform, when executed, one or more operations consistent with thedisclosed embodiments.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory only,and are not restrictive of the disclosed embodiments, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute apart of this specification, illustrate disclosed embodiments and,together with the description, serve to explain the disclosedembodiments. In the drawings:

FIG. 1A is a block diagram of an example system in accordance withdisclosed embodiments.

FIG. 1B is an illustration of a system environment in which delta filesmay be created and deployed, and ECU operations may be monitored inaccordance with disclosed embodiments.

FIG. 1C is an illustration of a vehicle communications network inaccordance with disclosed embodiments.

FIG. 2 is an illustration depicting an exemplary ECU software updateprocess in accordance with disclosed embodiments.

FIG. 3 is an illustration depicting an example process to generate adelta file in accordance with disclosed embodiments.

FIG. 4 is an illustration depicting startup code configured to update aprogram counter of an ECU in accordance with disclosed embodiments.

FIG. 5 is an illustration depicting a delta file that includes codechanges to different segments of code in accordance with disclosedembodiments.

FIG. 6 is an illustration depicting a delta file made available to anECU for an update in accordance with disclosed embodiments.

FIG. 7 is another illustration depicting a delta file made available toan ECU for an update in accordance with disclosed embodiments.

FIG. 8 is a further illustration depicting a delta file made availableto an ECU for an update in accordance with disclosed embodiments.

FIG. 9 is an illustration depicting a timeline view of software updatesmade available to an ECU in accordance with disclosed embodiments.

FIG. 10 is an exemplary flowchart showing a process for generating anupdate package for updating software on an ECU in a vehicle inaccordance with disclosed embodiments.

FIG. 11 is an exemplary flowchart showing a process for receiving andintegrating a delta file in a vehicle in accordance with disclosedembodiments.

FIG. 12 is an exemplary flowchart showing a process for performingupdates to ECU software while an ECU of a vehicle is operating inaccordance with disclosed embodiments.

FIG. 13 is an exemplary flowchart showing a process for adjustingvehicle ECU software versions in accordance with disclosed embodiments.

FIG. 14 is an exemplary flowchart showing a process for identifying ECUanomalies in a vehicle in accordance with disclosed embodiments.

FIG. 15 is an exemplary flowchart showing a process for identifying ECUanomalies in a vehicle in accordance with disclosed embodiments.

FIG. 16 is an exemplary flowchart showing a process foropportunistically updating ECU software in a vehicle in accordance withdisclosed embodiments.

FIG. 17 is an exemplary flowchart showing a process for automaticallyproviding updates to one or more vehicles in accordance with disclosedembodiments.

FIG. 18 is an exemplary flowchart showing a process for reporting ECUerrors to a remote monitoring server in accordance with disclosedembodiments.

DETAILED DESCRIPTION

In the following detailed description, numerous specific details are setforth in order to provide a thorough understanding of the disclosedexample embodiments. However, it will be understood by those skilled inthe art that the principles of the example embodiments may be practicedwithout every specific detail. Well-known methods, procedures, andcomponents have not been described in detail so as not to obscure theprinciples of the example embodiments. Unless explicitly stated, theexample methods and processes described herein are not constrained to aparticular order or sequence, or constrained to a particular systemconfiguration. Additionally, some of the described embodiments orelements thereof can occur or be performed simultaneously, at the samepoint in time, or concurrently.

Reference will now be made in detail to the disclosed embodiments,examples of which are illustrated in the accompanying drawings.

FIG. 1A is a block diagram of an example system 100 in accordance withdisclosed embodiments. As shown, system 100 includes one or more server(or computer) 102 configured to communicate with one or more vehicles104 over a communication channel 106. Communication channel 106 mayinclude a bus, a cable, a wireless communication channel, a radio-basedcommunication channel, the Internet, a local area network (LAN), awireless local area network (WLAN), a wide area network (WAN), acellular communication network, or any Internet Protocol (IP) basedcommunication network and the like. In some embodiments, communicationchannel 106 may be based on public cloud infrastructure, private cloudinfrastructure, hybrid public/private cloud infrastructure, or no cloudinfrastructure. In such differing embodiments, server 102 and vehicles104 may each be in the same, or in different, networks or networksegments. In some embodiments, vehicles 104 may be equipped with one ormore compatible receivers configured to support communications withserver 102 via communication channel 106. The receivers are not shown inFIG. 1A for illustrative simplicity.

Server 102 may include at least one processor 108. In embodimentsinvolving multiple servers (e.g., a server farm), processor 108 mayinclude one or more dedicated processing units, application-specificintegrated circuits (ASICs), field-programmable gate arrays (FPGAs), orvarious other types of processors or processing units coupled with atleast one non-transitory processor-readable memory 110 configured forstoring processor-executable code. When the processor-executable code isexecuted by processor 108, processor 108 may carry out various differentinstructions (e.g., to determine whether one or more ECUs installed inone or more vehicles 104 need to be updated, etc.). Processor 108 mayalso carry out instructions to generate update packages for the ECUswhen it is determined that one or more ECUs installed in one or morevehicles 104 need to be updated. As discussed below, processor 108 mayalso perform various other functions.

It is contemplated that server 102 may be configured to serve varioustypes of users. For example, an automaker may utilize server 102 togenerate and rollout software updates to ECUs installed on vehiclesmanufactured by the automaker. In another example, a componentmanufacturer (e.g., an ECU developer, or manufacturer whose products useECUs) may utilize server 102 to generate and rollout software updates toECUs produced or maintained by that component manufacturer. In stillanother example, a service provider (e.g., a dealership or a servicecenter) may utilize server 102 to update ECUs installed on vehicles thatare being serviced at the service provider. It is to be understood thatwhile only one server 102 is depicted in FIG. 1A, such a depiction ismerely exemplary and is not meant to be limiting. It is contemplatedthat more than one server 102 may be utilized, and that different usersmay utilize different servers 102 to generate and rollout softwareupdates to ECUs without departing from the spirit and scope of thepresent disclosure.

FIG. 1B is an exemplary illustration of system environments in whichdelta files and software updates may be generated and monitored. Asillustrated, a production toolchain 122 may be a group of programmingsystems or tools for developing and distributing software that runs onvehicle ECUs (e.g., ECU 112). Production toolchain 122 may include thesoftware components (e.g., compiler, linker, libraries, etc.) fordeveloping and implementing software on vehicle ECUs. As discussedfurther below, the embodiments of this disclosure relate to generatingdelta files for software updates, and may be generated based oninformation from the production toolchain 122. For example, as discussedbelow, the map file, source, and binary data elements used to builddelta files (e.g., in connection with FIG. 3) may come from theproduction toolchain 122. Software updates may be developed as deltafiles 124, which may be delivered to vehicles over the air, as discussedfurther in connection with FIG. 1A.

FIG. 1B also illustrates a dependency management system 126, faultanalytics system 128, update management system 130, and reporting system132. In various embodiments discussed below, the dependencies betweensoftware versions may be expressed as a map file defining therelationships and dependencies between functions and entities in thesoftware, the size of the software, specific memory addresses, specificfunctions or commands corresponding to memory locations, etc. Further,dependency management system 126 may identify dependencies between ECUs.For example, when a software update is performed for one ECU, the updatemay cause the ECU to be unable to communicate (or to incorrectlycommunicate) with one or more other ECUs. This may occur, for example,if the software update affects the network address of an ECU, theprotocol of communications the ECU will use, the incoming or outgoingcommunications policies of the ECU, the headers or payload ofcommunications from the ECU, the timing of communications from the ECU,or various other attributes of the ECU's functionality. In order toprevent conflicts that arise when a software update is performed on anECU and other interdependent ECUs are affected, dependency managementsystem 126 may be configured to maintain lists or mappings ofdependencies between ECUs. The lists or mappings may identifyinterdependent ECUs, and may also further specify reasons for theirinterdependency (e.g., particular formats of data communications thatare expected or required, particular network addresses, particularcommunications timing requirements, etc.). This information may bemaintained by dependency management system 126, and may be periodicallyupdated (e.g., from server 102).

Further, as discussed below, various anomalies, errors, and faults maybe detected in the operation of ECUs. Such data, and algorithms fordetecting such events, may be managed by fault analytics system 128.Update management system 130 may be responsible for determining when ECUsoftware updates should be developed or transmitted, which vehicles orspecific ECUs should receive the updates, and various other types ofinformation. Reporting system 132 may be configured to receive updatesfrom vehicles (e.g., observed activity of ECUs) or deliver reports tovehicles (e.g., regarding updates to perform). In some embodiments,dependency management system 126, fault analytics system 128, updatemanagement system 130, and reporting system 132 may be implemented inserver 102, or separately.

FIG. 1C is an illustration of the architecture in a vehiclecommunications network (e.g., in vehicle 104-a, 104-b, 104-c, 104-d, or104-e). For example, a telematic control unit (TCU) 134 may beintegrated into the network to perform various tracking features for thevehicle. In some embodiments, TCU 134 may include an integrated orseparate telecommunications transceiver (e.g., cellular, WiFi,satellite, etc.), a global positioning system (GPS) transceiver, and acontroller for interfacing with other components of the vehiclecommunications network. The network may also include a gateway 136,which may be the central point of communications with an outside network(e.g., server 102) and the internal network of the vehicle. In someembodiments, gateway 136 may interface with an orchestrator (discussedfurther below), which controls one or more operations of ECUs 112 in thevehicle. The network may further include an onboard diagnostics port138, which may be a physical port allowing a wired connection to thevehicle network for diagnostics, maintenance, and other functions. Inaddition, the vehicle network may include various ECUs, such as ECUs112, 112 a, 112 b, 112 c, and others. As illustrated, ECU 112 may beconfigured with software instructions for fault detection and downtimeprediction 140, integrated rollback 142 to prior versions of ECUsoftware, and unified diagnostic services (UDS) updates 144, among otheroperations. These functions are further discussed below.

FIG. 2 is an illustration depicting an exemplary ECU software updateprocess carried out by server 102 to update software of an exemplary ECU112. In some embodiments, the process may be performed locally in avehicle rather than at the server 102 (e.g., through an orchestrator inthe vehicle that manages ECUs 118). As shown in FIG. 2, server 102 mayaccess information regarding both a new version of the ECU software (maybe referred to as software update 202) to be used by ECU 112 and thecurrent version of the ECU software (may be referred to as currentsoftware 204) used by ECU 112. Server 102 may access informationregarding software update 202 in various manners. In some embodiments,automakers or component manufacturers responsible for developing ormaintaining the ECU software may provide a copy of software update 202to be stored locally on server 102. In some embodiments, a work stationused to develop software update 202 may be configured to serve as server102. In some embodiments, automakers or component manufacturers may alsostore copies of software update 202 in one or more network storagedevices that are accessible to server 102. In some embodiments, softwareupdate 202 may be provided as a monolithic file. In some embodiments,software update 202 may be provided as a file interdependent on otherfiles.

Server 102 may access information regarding current software 204 used byECU 112 in various manners. In some embodiments, server 102 may queryECU 112 (e.g., via communication channel 106) for its software versionnumber. In some embodiments, server 102 may request direct access to amemory device (e.g., a flash memory, RAM, ROM, etc.) 120 where currentsoftware 204 used by ECU 112 is stored. In some embodiments, server 102may keep a record of software versions deployed to ECUs and use therecord to determine the version of current software 204 used by ECU 112.It is contemplated that while specific implementations may vary, as longas server 102 can access information regarding both software update 202and current software 204, server 102 can compare attributes of bothsoftware update 202 and current software 204 and generate a delta filerepresenting the differences between attributes of software update 202and the corresponding attributes of current software 204, as furtherdiscussed below.

FIG. 3 is an illustration depicting an example process carried out byserver 102 to generate such a delta file. As shown in FIG. 3, server 102may compare attributes including the source, the binary code, and themap file of software update 202 with their corresponding attributes ofcurrent software 204. As discussed above, these attributes may beobtained directly from the production toolchain 122 (e.g., as part of,or following, the software build and deploy processes). The sourceattribute may identify, for example, the source code language, version,whether the source code is flat, the number or type of objectsreferenced in the source code, and other attributes. The binaryattribute may be represented as Executable and Linkable Format (ELF)code (e.g., with program header, section header, data, etc.), as purebinary, or in other forms. The map file may describe relationships anddependencies between functions and entities in the software 202 and/or204, the size of the software, specific memory addresses, specificfunctions or commands corresponding to memory locations, etc.

Representing software update 202 and current software 204 in terms oftheir source, binary code, and map file attributes may be referred to asa “grid” representation, and a comparison between a grid representingsoftware update 202 and a grid representing current software 204 may bereferred to as a multi-dimensional (e.g., three-dimensional differential(or 3Diff) comparison). In some embodiments, fewer or additionaldimensions may be used as well. Such a 3Diff comparison, or othermulti-dimensional comparison, may be utilized to produce a delta file206 that may include data representing changes made to the binary and/orthe source code 210 of ECU 112, changes made to one or more variables212 used by ECU 112, and changes made to memory addresses 214 referencedby ECU 112. Notably, such a 3Diff file may represent the differencesbetween software update 202 and current software 204, so that currentsoftware 204 can be upgraded to software update 202 by receiving onlythe 3Diff file, and not the entire software update 202 itself.

Also shown in FIG. 3 is a startup code 208, which may be integrated into3Diff or delta file 206. Alternatively, startup code 208 may be a partof current software 204 and not a part of delta file 206. For example,in such embodiments, startup code 208 may be the preexisting startup orinitialization code associated with an ECU and its software.

In some embodiments, server 102 may configure startup code 208 toinitialize a runtime library of delta file 206. In some embodiments, forexample, server 102 may configure startup code 208 to update a programcounter of ECU 112 to skip certain code contained in current software204 and execute certain code contained in delta file 206 instead. Forexample, as shown in FIG. 4, startup code 208 may be configured toupdate the program counter of ECU 112 so that ECU 112 may skip a segmentof code contained in current software 204 (depicted as program counterupdate “1” in FIG. 4) and execute a segment of code contained in deltafile 206 instead (depicted as program counter update “2” in FIG. 4).Server 102 may also configure startup code 208 to update the programcounter of ECU 112 so that after the execution of the segment of codecontained in delta file 206, the program counter may link the executionback to the code contained in current software 204 (depicted as programcounter update “3” in FIG. 4). In this manner, the segment of codecontained in delta file 206 can be placed anywhere in memory 120, andthe program counter of ECU 112 can be used to load that segment of codeinto a memory (e.g., flash, RAM, etc.) of ECU 112 for execution. Inother words, the code contained in delta file 206 may beposition-independent and can be placed in memory 120 without requiringECU 112 to erase any existing contents of memory 120. Further, startupcode 208 may be configured to extract the delta data from the 3Diff ordelta file 206, and store it on the memory (e.g., flash, RAM, ROM, etc.)of the ECU 112. The data may include data used during runtime of thesoftware 202/204. The startup code may also determine if old contents ofthe memory in the ECU 112 need to be erased (e.g., because storage spaceis almost full).

It is to be understood that using the program counter of ECU 112 to loadthe code contained in delta file 206 into the memory of ECU 112 ispresented merely as an example and is not meant to be limiting. In someembodiments, a bootstrap loader (e.g., a program that resides in thememory of ECU 112) may be used to load the code contained in delta file206 into the memory of ECU 112 instead or in conjunction. It is to beunderstood that other techniques may also be used to load the codecontained in delta file 206 into the memory of ECU 112 for executionwithout departing from the spirit and scope of the present disclosure.

It is also to be understood that while FIG. 4 depicts redirecting theprogram counter of ECU 112 from one segment of code contained in currentsoftware 204 to another segment of code contained in delta file 206,such a depiction is merely exemplary. It is contemplated that codechanges 210 contained in delta file 206 may represent changes made tomore than one segment of code contained in current software 204. Forexample, as shown in FIG. 5, delta file 206 may include code changes tothree different segments of code referred to as “Symbol 1,” “Symbol 2,”and “Symbol 3.” It is contemplated that these code changes may behandled in manners similar to that described above. That is, the startupcode contained in delta file 206 (or, alternatively, in current software204), may update the program counter of ECU 112 to skip certain segmentsof code (i.e., symbols) contained in current software 204 of ECU 112 andload the corresponding segments of code (i.e., the correspondingsymbols) contained in delta file 206 into the memory (e.g., flash, RAM,etc.) of ECU 112 for execution instead.

In some embodiments, ECU 112 may utilize a virtual file system (VFS) 230to manage the symbols. As discussed herein, VFS 230 may be a variety ofdifferent types of virtual file systems, databases, or lists. VFS 230may provide an abstraction of the software 202/204, and may express theelements of the 3Diff file (e.g., source, binary, and map fileattributes). In some embodiments, ECU 112 may utilize VFS 230 to trackdifferent versions of the symbols. For example, as shown in FIG. 6, if asecond delta file 216 (representing changes made in a second softwareupdate) is made available to ECU 112, and if second delta file 216contains Version 2 of code changes made to Symbol 1 and Symbol 2, ECU112 may utilize VFS 230 to track the different versions of the symbolsand determine the correct version to be used for execution. If a thirddelta file 226 (representing changes made in a third software update) ismade available to ECU 112, and if third delta file 226 contains Version3 of code changes made to Symbol 1, ECU 112 also may utilize VFS 230 totrack Version 3 of Symbol 1, as shown in FIG. 7.

In some embodiments, ECU 112 may utilize VFS 230 to roll back certainchanges to ECU 112's software if needed. For example, upon detection ofcertain anomalies (details of which will be described later) in theperformance of ECU 112, server 102 may determine that Version 3 ofSymbol 1 should be rendered non-executable (or disabled) and that theECU software should be reverted back to a previous version (e.g., thesecond software update). Server 102 may achieve this by prompting ECU112 to roll back to the second software update, and ECU 112 may in turnutilize VFS 230 to reinstitute Symbol 1, Version 2 (and disable Symbol1, Version 3) by updating memory addresses in ECU 112 corresponding tothese symbols, as shown in FIG. 8. Effectively, Version 3 of Symbol 1may be removed from the memory (e.g., flash, RAM, etc.) of ECU 112 andVersion 2 of Symbol 1 may be loaded into the memory of ECU 112 forexecution instead. Notably, however, there is no need to delete Version3 of Symbol 1 and download an entire copy of Version 2 of Symbol 1.Instead, as discussed further below, the ECU 112 may simply receive adelta file 206 identifying the updates to the ECU 112's memory that needto be updated (based on the source, binary, and map file attributes) toaccomplish the reversion back to Version 2 of Symbol 1. Using thistechnique, bandwidth is reduced in the transmission to ECU 112 andmemory space in ECU 112 is also saved. This technique is discussedfurther below.

Referring now back to FIG. 3. It is noted that in addition to handlingcode changes, server 102 may also configure startup code 208 to handlechanges made to variables used by ECU 112 as well as changes made tomemory addresses referenced by ECU 112. Specifically, in someembodiments, server 102 may configure startup code 208 to extractvariable change data 212 from delta file 206 and place the extractedvariable data (if any) into the memory (e.g., flash, RAM, etc.) of ECU112. As noted above, startup code 208 may be located in the delta file206 itself, or in the current software 204. Server 102 may alsoconfigure startup code 208 to include instructions to delete old(outdated) variable data from the memory of ECU 112. Server 102 mayfurther configure startup code 208 to extract memory addresses changedata 214 (if any) from delta file 206 and update the memory addresses inECU 112 accordingly. In this manner, server 102 may simply place deltafile 206 into memory 120 without having to make any changes to currentsoftware 204, and let ECU 112 execute startup code 208 contained indelta file 206 or current software 204 to link current software 204 anddelta file 206 together to form a functional equivalent of softwareupdate 202 without the need to reboot ECU 112.

In some embodiments, delta file 206 may be implemented as a standardhexadecimal or binary file (or other types, such as S Record, Motorola™,and others), which can be readily processed by ECU 112. In someembodiments, ECU 112 may continue its operation (e.g., continue toexecute code contained in current software 204) as delta file 206 isbeing placed into memory 120. In some embodiments, ECU 112 maydefragment memory 120 after completing the update process describedabove. It is contemplated, however, that defragmenting memory 120 mayonly needed infrequently, and not for every software update.

The update process may be repeated a number of times as subsequentsoftware updates become available. As illustrated in FIG. 9, supposethat, at time T1, a first software update is made available and server102 generated delta file 206 and provided delta file 206 to ECU 112.Once delta file 206 is received at ECU 112 (and stored into memory 120),ECU 112 may execute delta file 206 based on the startup code containedtherein and link delta file 206 to software 204 of ECU 112 as describedabove. If, at time T2, a second software update becomes available toreplace the first software update, server 102 may repeat the processdescribed above (e.g., compare the second software update to software204 of ECU 112, generate a second delta file 216, and provide seconddelta file 216 to ECU 112). Once second delta file 216 is received atECU 112 (and stored into memory 120), ECU 112 may execute second deltafile 216 based on the startup code contained therein and link seconddelta file 216 to software 204 of ECU 112. Similarly, if, at time T3, athird software update becomes available, server 102 may provide a thirddelta file 226 to ECU 112, and ECU 112 may link third delta file 226 tosoftware 204 of ECU 112 accordingly.

Also illustrated in FIG. 9 is the ability for server 102 to roll back aparticular software update. For example, upon detection of certainanomalies (details of which will be described later) at time T4, server102 may determine that the third software update should be renderednon-executable and that the ECU software should be reverted back to aprevious version (e.g., the second software update). Server 102 mayachieve this by prompting ECU 112 to remove the link between third deltafile 226 and software 204 of ECU 112 (e.g., rendering the code changescontained in delta file 226 non-executable, as previously described withreference to FIG. 8), and re-execute the startup code contained insecond delta file 216 to re-establish the link between second delta file216 and software 204 of ECU 112, as shown in FIG. 9.

In some embodiments, ECU 112 may be configured to keep third delta file226 in memory 120 after the rollback operation. Keeping third delta file226 in memory 120 may allow ECU 112 to re-activate the third softwareupdate later if needed.

In some embodiments, server 102 may purposely push third delta file 226into memory 120 as a way to prepare ECU 112 for a future update. Server102 may, for example, instruct ECU 112 to temporarily bypass the startupcode contained in third delta file 226 when third delta file 226 ispushed into memory 120. The link between second delta file 216 andsoftware 204 of ECU 112 may therefore remain in place until such a timewhen server 102 instructs ECU 112 to execute the startup code containedin third delta file 226 (or in current software 204), which may thenlink third delta file 226 to software 204 of ECU 112 and complete thedeployment of the third software update. It is contemplated that such anoperation may be referred to as a roll forward, which may be utilized asa technique to coordinate the roll out of ECU software updates.

It is noted, however, that the number of delta files that can be storedin memory 120 may be limited due to its storage capacity. Therefore, insome embodiments, ECU 112 may be configured to identify specificcontents stored in memory 120 for deletion when ECU 112 determines thatthe utilization of memory 120 is above a threshold (e.g., 75% or 90%full). In some embodiments, ECU 112 may identify contents for deletionbased on their corresponding creation date, version number, file size,or the like. For example, an old delta file that has not been used for along time may be a good candidate for deletion. In some embodiments, ECU112 may also choose to replace its memory content entirely. For example,instead of keeping its original software plus multiple delta filesreceived over the years, ECU 112 may decide to erase the entire contentof memory 120 and replace it with a clean copy of the most recent ECUsoftware. ECU 112 may continue to use the delta file-based updateprocess described above for future updates.

Referring now generally to FIG. 1A. It is noted that while thedescriptions above provided various examples illustrating efficienttechniques for server 102 to provide software updates to vehicles 104via communication channel 106, vehicles 104 may also utilizecommunication channel 106 to provide information to server 102 tofurther enhance the software update process.

For example, in some embodiments, vehicle 104-b may include at least oneprocessor 114 coupled with at least one non-transitoryprocessor-readable memory 116 configured for storingprocessor-executable code. When the processor-executable code isexecuted by processor 114, processor 114 may carry out instructions tomonitor real-time processing activities of ECU 112 and identify ECUanomalies. In some embodiments, processor 114 may provide informationregarding ECU anomalies to server 102 and/or other vehicles 104.

For illustrative purposes, a processor 114 configured to monitorreal-time processing activities of ECU 112 and provide informationregarding ECU anomalies to server 102 and/or other vehicles 104 may bereferred to as an orchestrator 114. In some embodiments, orchestrator114 may be implemented as a unit separated from ECU 112. However, it iscontemplated that orchestrator 114 and ECU 112 may share certainhardware component without departing from the spirit and scope of thepresent disclosure. In additional embodiments, orchestrator 114 may beconfigured to perform machine learning or artificial intelligencefunctions (e.g., based on data from ECUs, from ECUs in fleets ofvehicles, etc.), as discussed further below.

In some embodiments, orchestrator 114 may be configured to accesshistorical data relating to processing activity of ECU 112. In someembodiments, the historical data may be logged in memory 116 previouslyby ECU 112 or by orchestrator 114. The historical data may representexpected processing activity of ECU 112. Orchestrator 114 may comparethe real-time processing activity data with the historical data toidentify one or more anomalies in the real-time processing activity ofECU 112. In some embodiments, orchestrator 114 may implement varioustypes of statistical models to carry out the comparison. In someembodiments, orchestrator 114 may implement various types of dataprocessing techniques, including machine learning techniques, toidentify the anomalies.

In some embodiments, orchestrator 114 may be configured to report itsfindings to server 102 (e.g., via communication channel 106).Alternatively or additionally, in some embodiments, orchestrator 114 mayimplement one or more control actions for ECU 112 when it identifies oneor more anomalies. The control action may include, for example, issuingan alert associated with ECU 112, blocking an instruction sent from ECU112, or issuing a prompt to ECU 112 and requesting ECU 112 to adjustfrom executing one version of ECU software to another (e.g., roll back aversion of ECU software running on the ECU to a prior version of ECUsoftware).

It is contemplated that orchestrator 114 configured in accordance withdisclosed embodiments may be able to detect various types of anomalies.For example, in some embodiments, the detected anomalies may correspondto specific memory locations used by ECU 112. If ECU 112 attempts toaccess a memory location outside of the specific memory locations,orchestrator 114 may identify such an activity as an anomaly. In someembodiments, the detected anomalies may correspond to specific sequencesof memory locations used by ECU 112. If ECU 112 attempts to accessmemory locations in an order that is incompatible with the specificsequences, orchestrator 114 may identify such an activity as an anomaly.In some embodiments, the detected anomalies may correspond to at leastone peak in data flow in or out of ECU 112. If data flowing in or out ofECU 112 is abnormally high, orchestrator 114 may report an anomaly. Insome embodiments, the detected anomalies may correspond to at least onepeak in data processing by one or more processors of ECU 112. If dataprocessing by one or more processors of ECU 112 is abnormally high,orchestrator 114 may report an anomaly. In some embodiments, thedetected anomalies may correspond to at least one anomaly in powerconsumption of ECU 112. If power consumption of ECU 112 is abnormallyhigh, orchestrator 114 may report an anomaly.

In some embodiments, orchestrator 114 may be configured to monitor otherECUs in addition to ECU 112. In some embodiments, orchestrator 114 maybe configured to monitor real-time processing activities of multipleECUs in vehicle 104-b. For example, in some embodiments, orchestrator114 may be configured to receive comparable data relating to processingactivities of at least one other ECU 118 deemed comparable to ECU 112.

It is contemplated that ECU 118 and ECU 112 may be deemed comparable bytheir manufacturers or developers. ECU 118 and ECU 112 may also bedeemed comparable based on their control functions and/or rulesassociated with ECU software running on ECU 118 and ECU 112. Forexample, if ECU 118 and ECU 112 have established that theircorresponding sequences of execution are sufficiently similar, ECU 118and ECU 112 may be deemed comparable. In another example, if ECU 118 andECU 112 both suffer from similar malicious sequences of executions, ECU118 and ECU 112 may be deemed comparable. In yet another example, if themap files of ECU 118 and ECU 112 are sufficiently similar, ECU 118 andECU 112 may be deemed comparable. In still another example, orchestrator114 may communicate with processors located on other vehicles 104 (e.g.,via communication channel 106) to observe which ECUs the other vehicles104 may consider to be comparable. Orchestrator 114 may then determinewhich ECUs located in vehicle 104-b may be considered comparable basedon its observation of other vehicles 104.

In some embodiments, orchestrator 114 may be configured to comparereal-time processing activity data received from ECU 112 with thecomparable data received from ECU 118 to identify one or more anomaliesin the real-time processing activity of ECU 112. In some embodiments,the comparable data received from ECU 118 may represent real-timeprocessing activity data received from ECU 118. Alternatively oradditionally, in some embodiments, the comparable data received from ECU118 may include previously recorded activity data obtained from ECU 118.

In some embodiments, orchestrator 114 may implement various types ofstatistical models to carry out the comparison between the real-timeprocessing activity data received from ECU 112 and the comparable datareceived from ECU 118. In some embodiments, orchestrator 114 mayimplement various types of data processing techniques, including machinelearning techniques, to identify anomalies. In some embodiments,orchestrator 114 may be configured to report its findings to server 102.Alternatively or additionally, in some embodiments, orchestrator 114 mayimplement one or more control actions for ECU 112 when it identifies oneor more anomalies.

In some embodiments, orchestrator 114 may be configured toelectronically poll ECUs in vehicle 104-b to determine if the ECUs areproperly responding to the poll. Orchestrator 114 may then identify oneor more ECU errors or faults associated with one or more ECUs in vehicle104-b. An example of a fault may be an ECU performing an operation adifferent number of times per time interval than expected or allowed. Ifan ECU error or fault is identified, orchestrator 114 may also collectdata related to the operation of the ECU and the identified ECU error.Orchestrator 114 may send a report from vehicle 104-b to server 102identifying the ECU and the identified ECU error. Server 102 may utilizethe report for various purposes, including identification of errors anddevelopment of bug fixes.

It is to be understood that while the term “orchestrator” is used in theexample above, the term is not meant to be limiting. It is contemplatedthat an orchestrator may be configured to electronically poll ECUs invehicles to determine if the ECUs are properly responding to a poll. Inaddition, the orchestrator 114 may utilize machine learning orartificial intelligence techniques to determine if ECUs are properlyoperating (e.g., are operating within acceptable or expected behavioralenvelopes). For example, the orchestrator 114 may be configured tomonitor the top functionalities (e.g., top 10 or 100 functionalities) inan ECU (or multiple ECUs), and develop a model or map of observedfunctioning. When a deviation from this model or map is detected, ananomaly may be declared. In some embodiments, orchestrator 114 may beimplemented as a particular ECU (e.g., ECU 112 in FIG. 1), while otherECUs are configured to report (e.g., via push or pull) data to theorchestrator 114 ECU. In this way, the orchestrator 114 ECU may gatherdata to be used in machine learning or artificial intelligence regardingthe observed and expected functionality of other ECUs.

In some embodiments, the orchestrator 114 may participate in apredictive maintenance or self-healing process for ECUs in a vehicle.Such approaches may be based on a distributed, artificial immune system(AIS) framework. In particular, ECUs throughout a vehicle may beconfigured to report (e.g., via push or pull) data regarding theiroperations and functionality to orchestrator 114 (or anotherAIS-configured ECU) for machine learning and artificial intelligence.The orchestrator 114 (or another AIS-configured ECU) may performalgorithms on the received data to detect software anomalies, errors(e.g., runtime errors), and faults (e.g., drifting). Such anarchitecture may be efficient and low impact, since it distributes ECUreporting broadly among many ECUs, and is still capable of tracking manydifferent parameters of ECU performance. Further, the orchestrator 114(or another AIS-configured ECU) may perform the analysis autonomouslyand adaptively, reflecting the continuously changing nature of ECUoperations within the vehicle. Based on the machine learning orartificial intelligent functions of orchestrator 114 (or anotherAIS-configured ECU), recommended changes may be suggested orautomatically implemented to maintain the health of the vehicle's ECUs(e.g., performing a software roll-back, performing a software update,etc.). In some embodiments, the machine learning or artificialintelligence functions are performed at a server (e.g., server 102), andmay provide recommended changes for entire fleets of vehicles (e.g.,those sharing similar ECUs, similar software versions, etc.).

The system architecture for orchestrator 114 (or another AIS-configuredECU) may be multi-tiered. In some embodiments, the orchestrator 114 orserver 102 serves as a central node, and individual ECUs that reportoperational or functional data to it are child or edge nodes. A firsttier (e.g., Tier 1) may perform low-profile monitoring of ECU behavior.For example, this may involve applying machine learning models orartificial intelligence algorithms to analyze the activity of individualECUs or groups of ECUs. This may account for ECU memory footprints, CPUprocessing activity, functions called, sequences of functions called,etc.). A second tier (e.g., Tier 2) may operate on an on-demand basis.For example, if the machine learning or artificial intelligence tierdetects a potential anomaly in the operational behavior of an ECU, Tier2 may be reached, which may involve further analysis of the ECU inquestion (e.g., a memory stack analysis, reporting information regardingthe ECU anomaly to the orchestrator 114 or server 102, etc.). Similarly,in a third tier of operations (e.g., Tier 3), samples of the ECUoperations (e.g., the memory locations being called, software version,delta file version, copy of the software, etc.) may be transmitted backto orchestrator 114 or server 102 for further analysis. In a fourth tierof operations (e.g., Tier 4), a determination may be made to perform acontrol action for the ECU or group of ECUs at issue. This may include,for example, rolling the software back to a prior version (e.g., basedon a delta file for the prior version), activating a safe mode for theECU (e.g., blocking network communications, regulating functionality,etc.), or other forms of control for the ECUs.

It is to be understood that the orchestrator 114 may be implementedutilizing one or more processors 114 located in vehicle 104-b. In someembodiments, the orchestrator may be implemented on processor 114 or aseparate processor in the vehicle. In some embodiments, the orchestratormay be implemented remotely (e.g., via server 102). For illustrativesimplicity, the description below will reference a processor configuredto electronically poll ECUs in vehicles to determine if the ECUs areproperly responding to the poll, or perform machine learning orartificial intelligence functions, as an orchestrator.

In some embodiments, the orchestrator may poll an ECU in vehicle 104-bby sending a request message to the ECU and wait for the ECU to provideone or more response messages. The orchestrator may refer to, forexample, the integrated hardware counter or monitor in a processor(e.g., ECU processor) that detects whether a program is continuing torun. The orchestrator may determine that an ECU has performed or causedan error or fault when a failure to respond to a poll is detected. Asdiscussed above, errors and faults may include runtime errors, stackoverflow errors, “drifting” of an application execution profile (e.g.,becoming slower, faster, or occurring over a longer or shorter period),etc.

In some embodiments, the orchestrator may poll multiple ECUs in vehicle104-b to determine whether the ECUs are executing ECU software that hasa potential impact on one or more hardware components of vehicle 104-b.For example, if after updating ECU 112, multiple ECUs that interact withthe transmission start to exhibit erroneous behaviors, the orchestratormay determine that the software update for ECU 112 has a potentialimpact on the transmission of vehicle 104-b. The orchestrator may alsocollect report data from the various ECUs (e.g., including ECUidentifiers and/or data indicating a last-known poll of the ECUs) aswell as report data from the various hardware components of vehicle104-b (e.g., including the transmission). The orchestrator may alsoperform statistical analysis, machine learning, or artificialintelligence functions based on the reported data, as discussed furtherbelow.

In some embodiments, the orchestrator may determine whether thepotential impact or anomaly in an ECU is detrimental. For example, ifthe orchestrator determines, based on the reported data, that theaverage temperature of the transmission during normal operations hasincreased by a few degrees, the orchestrator may determine that thepotential impact to the transmission is detrimental. Alternatively oradditionally, in some embodiments, the orchestrator may be configured toprovide the reported data to server 102 and let server 102 (or its user)to determine whether the potential impact is detrimental.

In some embodiments, the orchestrator may determine a probability ofdowntime for the ECUs based on the reported data. The orchestrator maymake this determination based on a statistical model or past behaviors,including the machine learning and artificial intelligence techniquesdiscussed below. In some embodiments, the orchestrator may be configuredto report its determination to server 102. In further embodiments, asdiscussed below, the orchestrator may implement one or more controlactions for ECU 112 when it is determined that the potential impact isdetrimental, or when the probability of downtime exceed a certainthreshold.

Referring now generally to the vehicle network 100 shown in FIG. 1A. Itis contemplated that some of the functionalities provided by theorchestrator described above may be carried out over network 106 inaddition to (or instead of) being carried out by processors 114 locatedon vehicles 104. For example, in some embodiments, server 102 may beconfigured to receive ECU activity data from one or more reportingvehicles 104 via communication channel 106. In some embodiments,reporting vehicles 104 may include vehicles that are being monitored asa group. In some embodiments, the reporting vehicles may include a setof vehicles having a common type of ECU (e.g., if vehicles 104-a, 104-b,and 104-c all have the same type of ECU, vehicles 104-a, 104-b, and104-c may be monitored as a group) or common software version.

In some embodiments, the ECU activity data may correspond to actualoperations of one or more ECUs operating in the group of vehicles (e.g.,vehicles 104-a, 104-b, and 104-c in the example above). In someembodiments, server 102 may be configured to determine, based on the ECUactivity data, software vulnerabilities affecting vehicles 104-a, 104-b,and 104-c. In some embodiments, server 102 may implement various typesof statistical models to determine software vulnerabilities based on ECUactivity data. For example, in some embodiments, server 102 maydetermine software vulnerabilities based on a deviation between thereceived ECU activity data and expected (or historical) ECU activitydata. In some embodiments, server 102 may implement various other typesof data processing techniques, including machine learning techniques, todetermine the software vulnerabilities.

In some embodiments, server 102 may be configured to identify an ECUsoftware update if it is determined that there are softwarevulnerabilities affecting vehicles 104-a, 104-b, and 104-c. Server 102may also generate and send a delta file configured to update software onthe ECUs of the affected vehicles 104-a, 104-b, and 104-c. It iscontemplated that server 102 may generate the delta file in accordancethe processes described above. It is also contemplated that vehicles104-a, 104-b, and 104-c may process the delta file and perform the ECUsoftware update process as described above.

In some embodiments, server 102 may also be configured to determine asecond set of vehicles potentially affected by the softwarevulnerabilities identified above. The second set of vehicles may includevehicles 104-d and 104-e that are not a part of the group of vehiclesthat initially reported the ECU activity data to server 102 (e.g.,vehicles 104-d and 104-e may be unable to connect to server 102 at anearlier time), but may nevertheless contain ECUs that should be updated.Server 102 may identify such vehicles based on records of deployed ECUversion numbers or based on inquiries made to these vehicles (e.g.,server 102 may ask all vehicles 104 to report their ECU software versionnumbers, 3Diff versions, or other identifiers). In some embodiments,server 102 may be configured to send delta files to all vehicles thatare using ECUs that should be updated. In some embodiments, server 102may be configured to push delta files to all vehicles 104 as a way torecalibrate ECUs installed in vehicles 104.

It is contemplated that one or more processors 114 located on vehicles104, upon receiving delta files from server 102, may place the deltafiles into the memory devices of the corresponding ECUs and perform theupdate without interrupting the operations of the ECUs. It is alsocontemplated, however, that in certain situations, one or moreprocessors 114 located on a vehicle 104 may decide to perform the updateopportunistically.

For example, in some embodiments, processor 114 located on vehicle 104-bmay receive a wireless transmission indicating a need to update softwarerunning on ECU 112 in vehicle 104-b. Processor 114 may monitor anoperational status of vehicle 104-b to determine whether vehicle 104-bis in a first mode of operation in which an ECU software update isprohibited. Vehicle 104-b may be in the first mode of operation whenvehicle 104-b cannot establish a stable connection with server 102.Vehicle 104-b may also be in the first mode of operation when thewireless communications strength is below a threshold level.Furthermore, vehicle 104-b may be in the first mode of operation whenvehicle is in a restricted area, or is performing certain operations(e.g., traveling at a speed above a threshold). It is to be understoodthat the examples presented above are for illustrative purposes and arenot meant to limiting. It is contemplated that vehicle 104-b may be inthe first mode of operation due to various other reasons withoutdeparting from the spirit and scope of the present disclosure.

In some embodiments, if processor 114 determines that vehicle 104-b isin the first mode of operation, processor 114 may choose to delay theECU software update process. In some embodiments, processor 114 maystore the received delta file in memory 116. In some embodiments,processor 114 may discard the delta file (which can be requested laterwhen processor 114 is ready to install the ECU software update).

Processor 114 may continue to monitor the operational status of vehicle104-b to determine whether vehicle 104-b transitions into a second modeof operation in which the ECU software update is permitted. In someembodiments, processor 114 may continue to monitor the operationalstatus of vehicle 104-b repeatedly according to a preestablishedinterval (e.g., every 10 minutes). Processor 114 may determine thatvehicle 104-b is in the second mode of operation when, for example,vehicle 104-b enters one of the predetermined safe operating conditions,such as traveling at a speed below a threshold level, operating alow-power or a power-down status, operating in a preselectedenvironmental condition, idling, or the like. Processor 114 may alsodetermine that vehicle 104-b is in the second mode of operation whenvehicle 104-b can establish a stable connection with server 102. Forexample, processor 114 may determine that vehicle 104-b is in the secondmode of operation when the wireless communications strength reachesabove a threshold of strength or the network connection with server 102has an error rate below a threshold.

Once processor 114 determines that vehicle 104-b is in the second modeof operation, processor 114 may enable the ECU software update process,which may proceed as described above. If processor 114 stored a copy ofthe received delta file in memory 116 when it decided to delay the ECUsoftware update process, processor 114 may retrieve the copy of thereceived delta file from memory 116 and write the delta file into memory120 of ECU 112. If processor 114 discarded the delta file when itdecided to delay the ECU software update process, processor 114 may senda message to server 102 to request another copy of the delta file.Processor 114 may receive the delta file in a reply message from server102 and write the delta file into memory 120 of ECU 112 and perform theupdate process as described above.

It is to be understood that while processor 114 may have some discretionregarding delay of the ECU software update process, such a discretionmay not be absolute in some embodiments. For example, in someembodiments, processor 114 may receive a wireless transmission fromserver 102 that indicates the ECU software update is to be performedwith an override status. If the ECU software update is received with anoverride states, processor 114 may not be able to exercise itsdiscretion and may have to update the ECU software regardless of whethervehicle 104-b is in the first mode of operation. It is contemplated thatsuch an update with override status may be utilized to deploy criticalECU updates immediately without delay.

Similarly, as previously described, an ECU software update processutilizing delta files configured in accordance with disclosedembodiments may allow the ECUs to be updated without having to reboot.In some embodiments, however, server 102 may indicate that a given ECUsoftware update is to be performed with a mandatory reboot. If the ECUsoftware update is received with a request to reboot, processor 114 mayinstruct the ECU to perform the update as describe above followed by amandatory reboot.

It will be appreciated from the descriptions above that utilizing deltafiles configured in accordance with disclosed embodiments may improvethe efficiencies of ECU update processes. These delta files are smallerin size because them don't need to include the entire ECU software.These delta files can also be written directly to ECU memory spaces,which may reduce both memory space and power consumptions. These deltafiles may also be implemented as self-contained packages that includecode changes, variable changes, and memory address changes. These deltafiles may further contain startup code that can be executed by the ECUs,allowing the delta files to be position-independent and allowing theECUs to carry out the update without having to change their originalsoftware or interrupting their current operations.

The virtual file system (VFS) configured in accordance with disclosedembodiments may also improve the efficiencies of ECU update processes.The VFS may be utilized to manage and track different versions of theECU software, and may support update as well as roll back operationsdescribed above. Moreover, it is noted that using the VFS configured inaccordance with disclosed embodiments to manage and track differentversions of the ECU software may require very little space overheadbecause only the differences (deltas) between the versions need to betracked and no duplicated code need to be recorded.

Furthermore, it is noted that utilizing delta files managed by the VFSconfigured in accordance with disclosed embodiments may eliminate theneed to restart the ECUs after the update. Specifically, delta filesconfigured in accordance with disclosed embodiments may implement codechanges, variable changes, and memory address changes all at once,effectively linking the original ECU software and the delta filestogether to form a functional equivalent of the updated ECU softwarewithout the need for a reboot.

It is contemplated the ECU software update process configured inaccordance with disclosed embodiments may also be utilized to updatevirtual ECUs. A virtual ECU may refer to an ECU that is implemented on avirtual machine or a hypervisor residing on a shared hardware resource.It is contemplated that substantially the same ECU software updateprocess may be utilized to update a virtual ECU software withoutdeparting from the spirit and scope of the present disclosure.

Referring now to FIG. 10, an exemplary flowchart showing a process 1000for generating an update package for updating software on an ECU in avehicle is shown. In accordance with above embodiments, process 1000 maybe implemented in system 100 depicted in FIG. 1A. For example, process1000 may be performed by server 102. As discussed above, the updatepackage (e.g., based on software attributes such as source, map,binaries) may be obtained from the production toolchain 122. Further, inconnection with generating the update package, reference may be made todependency management system 126. In particular, dependency managementsystem 126 may be checked to determine if the new update package isassociated with an ECU that is interdependent with other ECUs in avehicle, and if so, whether software updates should also be performedfor the interdependent ECUs. As discussed above, dependency managementsystem 126 may maintain lists or mappings of ECUs, so thatinterdependencies between ECUs can be confirmed before software updatesare performed. In some embodiments, the lists or mappings are also basedon production toolchain 122.

At step 1002, process 1000 may access multiple attributes of a softwareupdate (e.g., software update 202 shown in FIG. 2) to be stored on anECU in a vehicle (e.g., ECU 112 in vehicle 104-b). At step 1004, process1000 may access multiple corresponding of attributes of the currentsoftware stored on the ECU in the vehicle (e.g., current software 204stored on ECU 112 in vehicle 104-b). At step 1006, process 1000 maycompare the attributes of the software update with the correspondingattributes of the current software. At step 1008, process 1000 maygenerate a delta file representing differences between the attributes ofthe software update and the corresponding attributes of the currentsoftware. At step 1010, process 1000 may integrate startup code into thedelta file. In some embodiments, the startup code may enable the deltafile to self-execute in the ECU in the vehicle.

In some embodiments, at step 1006, process 1000 may compare attributesincluding the source, the binary code, and the map file of the softwareupdate with their corresponding attributes of current software. Asdiscussed above, representing the software update and the currentsoftware in terms of their source, binary code, and map file attributesmay be referred to as a “grid” representation, and a comparison betweena grid representing the software update and a grid representing thecurrent software may be referred to as a three-dimensional differential(or 3Diff) comparison. In some embodiments, the attributes beingcompared may be identified at least partially based on the programminglanguage used to develop the software update, at least partially basedon a binary file resolution of the software update, or at leastpartially based on a map file associated with the software update.

In some embodiments, at step 1008, process 1000 may utilize such a 3Diffcomparison to produce a delta file that may include data representingchanges made to the binary and/or the source code of the ECU, changesmade to one or more variables used by the ECU, and changes made tomemory addresses referenced by the ECU. For example, in someembodiments, at step 1008-1, process 1000 may apply a first grid to thesoftware update, and, at step 1008-2, process 1000 may apply a secondgrid to the current software stored on the ECU. The first grid mayrepresent the software update in one or more dimensions, includingbinary data associated with the software update, a source attributeassociated with the software update, and/or a map file associated withthe software update. At step 1008-3, process 1000 may identify theattributes of the software update and the corresponding attributes ofthe current software based on a comparison of the first and secondgrids.

In some embodiments, at step 1010, process 1000 may integrate thestartup code configured to initialize a runtime library of delta file.In some embodiments, process 1000 may configure the startup code toupdate a program counter of the ECU to skip certain code contained inthe current software and execute certain code contained in the deltafile instead. The startup code may determine if old contents of thememory in the ECU need to be erased. Further, the startup code mayextract the variable data from the delta file and place the variabledata into a random-access memory accessible to the ECU. In someembodiments, the startup code may extract the code for updating memoryaddresses and update the memory addresses in the ECU.

Referring now to FIG. 11, an exemplary flowchart showing a process 1100for receiving and integrating a delta file in a vehicle shown. Inaccordance with above embodiments, process 1100 may be implemented insystem 100 depicted in FIG. 1A. For example, process 1100 may beperformed by ECU 112 in vehicle 104-b.

At step 1102, process 1100 may receive a delta file (e.g., delta file206) comprising a plurality of deltas (or changes) corresponding to asoftware update for software on the ECU (e.g., ECU 112) and startup code(e.g., startup code 208) for executing the delta file in the ECU. Atstep 1104, process 1100 may execute the delta file, based on the startupcode, in the ECU. In some embodiments, the startup code may beconfigured in accordance with above embodiments, and at step 1106,process 1100 may update memory addresses in the ECU to correspond to theplurality of deltas from the delta file.

In some embodiments, the delta file may be written to a memory device(e.g., memory device 120 as depicted in FIG. 1A) associated with theECU. In some embodiments, the delta file may be bootstrapped from thememory device to a random access memory associated with the ECU.Further, the delta file may be executable by the ECU without affectingcontinued operations of the ECU, or without rebooting the ECU.

In some embodiments, the delta file may include position-independentexecutable code segments (e.g., code changes 210 as depicted in FIG. 4)to be executed by the ECU. The startup code may be configured to updatea program counter of the ECU to execute instructions contained in thedelta file, as depicted in FIG. 4.

In some embodiments, the software on the ECU may be mapped to multiplefunctional units and the ECU may be configured to utilize a virtual filesystem (e.g., VFS 230, as depicted in FIG. 5-8) to manage and track oneor more versions these functional units, as depicted in FIG. 5-8. Thestartup code may be configured to link the delta file to a specificfunction in the VFS associated with the delta file, as depicted in FIG.5-8.

Referring now to FIG. 12, an exemplary flowchart showing a process 1200for performing updates to ECU software while an ECU of a vehicle isoperating is shown. In accordance with above embodiments, process 1200may be implemented in system 100 depicted in FIG. 1A. For example,process 1200 may be performed by ECU 112 in vehicle 104-b.

At step 1202, process 1200 may receive a software update file for theECU software (e.g., delta file 206) while the ECU of the vehicle (e.g.,ECU 112 of vehicle 104-b) is operating. At step 1204, while the ECU isstill operating, process 1200 may write the software update file into afirst memory location (e.g., the memory location where delta file 206 isstored in FIG. 4) in a memory (e.g., memory 120) of the ECU whilesimultaneously executing a code segment of existing code in a secondmemory location (e.g., the memory location where the current software204 is stored in FIG. 4) in the memory of the ECU. At step 1206, process1200 may update a plurality of memory addresses associated with thememory of the ECU based on the software update file and withoutinterrupting the execution of the code segment currently being executedin the second memory location in the memory of the ECU.

In some embodiments, the software update file for the ECU software mayinclude a delta file with integrated startup code as described above.Process 1200 may, for example, initialize the runtime library beforewriting the software update file into the first memory location of theECU. In some embodiments, process 1200 may be configured to delete, atstep 1208, data representing outdated values of variables referenced bythe ECU upon completion the software update. Further, process 1200 maybe further configured to defragment, at step 1210, the memory (e.g.,memory 120) of the ECU after completing the software update orindependent of the software update (e.g., periodically or as needed).

Referring now to FIG. 13, an exemplary flowchart showing a process 1300for adjusting vehicle ECU software versions is shown. In accordance withabove embodiments, process 1300 may be implemented in system 100depicted in FIG. 1A. For example, process 1300 may be performed by ECU112 in vehicle 104-b.

At step 1302, process 1300 may receive a prompt to adjust the ECU of thevehicle (e.g., ECU 112 of vehicle 104-b) from executing a first versionof ECU software (e.g., Version 0 depicted in FIG. 5) to a second versionof ECU software (e.g., Version 1 depicted in FIG. 5). At step 1304,process 1300 may configure, in response to the prompt and based on adelta file (e.g., delta file 206 depicted in FIG. 5) corresponding tothe second version of ECU software, the second version of ECU softwareon the ECU in the vehicle for execution. At step 1306, process 1300 mayfurther configure, in response to the prompt, the first version of ECUsoftware on the ECU in the vehicle to become non-executable.

In some embodiments, the second version of ECU software may be deployedsubsequent to the first version of ECU software (e.g., as depicted inFIGS. 5-7, and FIG. 9, T1-T3). Alternatively, the second version of ECUsoftware may be deployed prior to the first version of ECU software(e.g., as depicted in FIG. 8 and FIG. 9, T4).

In some embodiments, the ECU software on the ECU is mapped to multiplefunctional units and the ECU is configured to utilize a virtual filesystem (e.g., VFS 230) to manage and track one or more versions of thesefunctional units. At step 1306, process 1300 may update memory addressesin the ECU corresponding to one or more functional units managed by theVFS to make the first version of ECU software non-executable. Further,the second version of ECU software may be the first version of ECUsoftware having one or more functional units disabled by the VFS.

In some embodiments, process 1300 may determine, at step 1308, thatutilization of the memory (e.g., memory 120) of the ECU is above athreshold (e.g., 75% or 90% full). Process 1300 may also identify, atstep 1310, specific contents of the memory of the ECU for deletion. Inaddition, process 1300 may identify contents for deletion based on theircorresponding creation date, version number, file size, or the like. Forexample, an old delta file that has not been used for a long time (e.g.,threshold amount of time) may be a good candidate for deletion. In someembodiments, process 1300 may also choose to replace the entire contentof the memory of the ECU. For example, instead of keeping the originalsoftware plus multiple delta files received over the years, process 1300may decide, at step 1312, to erase the entire content of the memory andreplace it with a clean copy of the most recent ECU software. Process1300 may continue to use the delta file-based update process describedabove for future updates.

Referring now to FIG. 14, an exemplary flowchart showing a process 1400for identifying ECU anomalies in a vehicle is shown. In accordance withabove embodiments, process 1400 may be implemented in system 100depicted in FIG. 1A. For example, process 1400 may be performed by acontroller in the vehicle (e.g., a processor 114 in vehicle 104-b).

At step 1402, process 1400 may monitor data representing real-timeprocessing activity of an ECU (e.g., ECU 112). At step 1404, process1400 may access historical data relating to processing activity of theECU. In some embodiments, the historical data may represent expectedprocessing activity of the ECU. Further, process 1400 may monitoroperations of the ECU to generate the historical data.

At step 1406, process 1400 may compare the real-time processing activitydata with the historical data to identify one or more anomalies in thereal-time processing activity of the ECU. In some embodiments, theanomalies may correspond to specific memory locations used by the ECU.Further, the anomalies may correspond to specific sequences of memorylocations used by the ECU. The anomalies may correspond to at least onepeak in data flow in or out of the ECU. Further, the anomalies maycorrespond to at least one peak in data processing by a processor of theECU. In addition, the anomalies may correspond to at least one anomalyin power consumption of the ECU.

At step 1408, process 1400 may implement a control action for the ECUwhen the at least one anomaly is identified. In some embodiments, thecontrol action may include issuing a prompt to adjust the ECU fromexecuting a first version of ECU software to a second version of ECUsoftware (e.g., rolling back a version of ECU software running on theECU to a prior version of ECU software). The control action also mayinclude sending an alert associated with the ECU. Further, the controlaction may include blocking an instruction sent from the ECU.

In some embodiments, process 1400 may be carried out by an orchestratorin the vehicle (e.g., orchestrator 114, as described above). In someembodiments, the orchestrator may be a separate processing unit from theECU. The orchestrator may be configured to perform the monitoring,accessing, comparing, and implementing for multiple ECUs (e.g., both ECU112 and ECU 118) in the vehicle.

Referring now to FIG. 15, an exemplary flowchart showing a process 1500for identifying ECU anomalies in a vehicle is shown. In accordance withabove embodiments, process 1500 may be implemented in system 100depicted in FIG. 1A. For example, process 1500 may be performed by acontroller in the vehicle (e.g., a processor 114 in vehicle 104-b).

At step 1502, process 1500 may monitor data representing real-timeprocessing activity of an ECU (e.g., ECU 112). At step 1504, process1500 may receive comparable data relating to processing activity of atleast one other ECU deemed comparable in functionality to the ECU. Aspreviously described, in some embodiments, comparable data may includedata obtained in real-time relating to processing activity of other ECUs(e.g., ECU 118) deemed comparable to the ECU (e.g., ECU 112). Comparabledata may include data previously gathered relating to processingactivity of other ECUs deemed comparable to the ECU. In someembodiments, comparable data may be obtained based on rules associatedwith ECU software running on the ECU. Further, comparable data may beobtained based on known valid sequences of execution of ECU softwarerunning on the ECU. In some embodiments, comparable data may be obtainedbased on known potentially malicious sequences of execution of ECUsoftware running on the ECU. In some embodiments, comparable data may beobtained based on a map file associated with ECU software on the ECU.Comparable data may also be obtained based on observational datareceived from other vehicles.

At step 1504, process 1500 may compare the real-time processing activitydata with the comparable data to identify one or more anomalies in thereal-time processing activity of the ECU. In some embodiments, theanomalies may correspond to specific memory locations used by the ECU.In some embodiments, the anomalies may correspond to specific sequencesof memory locations used by the ECU. In some embodiments, the anomaliesmay correspond to at least one peak in data flow in or out of the ECU.The anomalies may correspond to at least one peak in data processing bya processor of the ECU. The anomalies may also correspond to at leastone anomaly in power consumption of the ECU.

At step 1506, process 1500 may implement a control action for the ECUwhen the at least one anomaly is identified. In some embodiments, thecontrol action may include issuing a prompt to adjust the ECU fromexecuting a first version of ECU software to a second version of ECUsoftware (e.g., rolling back a version of ECU software running on theECU to a prior version of ECU software). The control action may alsoinclude sending an alert associated with the ECU. Further, the controlaction may include blocking an instruction sent from the ECU.

Referring now to FIG. 16, an exemplary flowchart showing a process 1600for opportunistically updating ECU software in a vehicle is shown. Inaccordance with above embodiments, process 1600 may be implemented insystem 100 depicted in FIG. 1A. For example, process 1600 may beperformed by a controller in the vehicle (e.g., a processor 114 invehicle 104-b).

At step 1602, process 1600 may include receiving a wireless transmissionindicating a need to update software running on an ECU (e.g., ECU 112).At step 1604, process 1600 may monitor an operational status of thevehicle to determine whether the vehicle is in a first mode of operationin which an ECU software update is prohibited.

At step 1606, process 1600 may delay the ECU software update when theoperational status is prohibited. Process 1600 may store the ECUsoftware update in a memory located on the vehicle for delayed updatewhen the vehicle is in the first mode of operation. Alternatively, insome embodiments, process 1600 may discard the ECU software update whenthe vehicle is in the first mode of operation (process 1600 may requestthe ECU software update at a later time).

At step 1608, process 1600 may continue to monitor the operationalstatus of the vehicle to determine whether the vehicle is in a secondmode of operation in which the ECU software update is permitted. Process1600 may repeatedly monitor the operational status of the vehicleaccording to a preestablished interval. In some embodiments, the vehiclemay be determined to be in the second mode of operation when the vehicleis operating in a predetermined safe operating condition. In someembodiments, the vehicle may be determined to be in the second mode ofoperation when the vehicle is in a power-down or an idling status. Thevehicle may be determined to be in the second mode of operation when thevehicle has had a period of wireless communications strength above athreshold of strength. In some embodiments, the vehicle may bedetermined to be in the second mode of operation when the vehicle isoperating in a preselected environmental condition. In some embodiments,the vehicle may be determined to be in the second mode of operation whenthe vehicle has a network connection with an error rate below athreshold.

At step 1610, process 1600 may enable updating of the ECU with thedelayed ECU software update when it is determined that the vehicle is inthe second mode of operation. If process 1600 stored a copy of the ECUsoftware update in a memory located on the vehicle, process 1600 mayretrieve the copy of the ECU software update from the memory and proceedwith the update process. If process 1600 discarded the ECU softwareupdate when the vehicle is in the first mode of operation, process 116may send a message to a remote server that can provide a copy of the ECUsoftware update, receive the ECU software update in reply, and installthe ECU software update on the ECU when the vehicle is in the secondmode of operation.

In some embodiments, process 1600 may determine, at step 1612, whetherthe wireless transmission indicating the need to update the softwareincludes an indication of that the update is with an override status. Ifthe wireless transmission includes an indication that update is with anoverride status, process 1600 may update the ECU software immediately,at step 1614, regardless of whether the vehicle is in the first mode ofoperation.

Referring now to FIG. 17, an exemplary flowchart showing a process 1700for automatically providing updates to one or more vehicles is shown. Inaccordance with above embodiments, process 1700 may be implemented insystem 100 depicted in FIG. 1A. For example, process 1700 may beperformed by server 102.

At step 1702, process 1700 may receive ECU activity data from a vehicle(e.g., activity date of ECU 112 in vehicle 104-b). In some embodiments,the ECU activity data may correspond to actual operation of the ECU inthe vehicle.

At step 1704, process 1700 may determine, based on the ECU activitydata, a software vulnerability affecting the vehicle. In someembodiments, the software vulnerability may be determined based on adeviation between the received ECU activity data and expected ECUactivity data.

At step 1706, process 1700 may identify an ECU software update based onthe determined software vulnerability. At step 1708, process 1700 maysending a delta file configured to update software on the ECU with asoftware update corresponding to the identified ECU software update.

In some embodiments, process 1700 may be performed on a group ofvehicles. In some embodiments, the group of vehicles may include a firstset of vehicles (e.g., vehicles 104-a, 104-b, and 104-c) having a commonECU type. In some embodiments, process 1700 may determine the softwarevulnerability by determining a software vulnerability that affects thefirst set of vehicles.

In some embodiments, process 1700 may determine, at step 1710, a secondset of vehicles potentially affected by the software vulnerability. Insome embodiments, process 1700 may send delta files to both the firstset and the second set of vehicles at step 1712. Further, the deltafiles may include an installation agent (e.g., startup code aspreviously described) for installing the ECU software update on the ECU.In addition, the delta files may be configured to recalibrate ECUs inmultiple vehicles. Process 1700 may also include instructing the ECUs ofthe vehicles to reboot in response to the ECU software update.

Referring now to FIG. 18, an exemplary flowchart showing a process 1800for reporting ECU errors to a remote monitoring server is shown. Inaccordance with above embodiments, process 1800 may be implemented insystem 100 depicted in FIG. 1A. For example, process 1800 may beperformed by a processor in a communications network of a vehicle (e.g.,a processor 114 in vehicle 104-b) or by server 102.

At step 1802, process 1800 may receive data from an orchestrator withinthe vehicle. The orchestrator may be configured to electronically poll aplurality of ECUs in the vehicle (e.g., ECUs 112 and 118 in vehicle104-b) and determine if they are properly responding to the poll. Insome embodiments, the data may be received directly from the ECUs (i.e.,without a separate orchestrator). Further, as discussed above, theorchestrator may be configured to perform one or more machine learningor artificial intelligence functions to the reported data from the ECUs,to determine whether the ECUs are operating within an allowed orexpected envelope of operational attributes (e.g., CPU processing,memory contents, memory accessing patterns, driver behavior attributes,etc.).

At step 1804, process 1800 involve generating a statistical model of theoperational data based on one or more runtime attributes. As discussedabove, this may be part of a first tier of a multi-tier model for theECUs. The statistical model may be based on multivariate or univariatetime series analysis, and may factor in attributes such as CPU or memoryusage, memory sequences being accessed, cache contents or accessinghistory, page faults, etc. The statistical model may further be based ona correlation of running processes at a footprint of memory at adiscrete time slice. In addition, the statistical model may be based ona frequency or execution path of software running on the ECU (e.g.,based on the VFS). Further, the statistical model may be based on driverbehavioral attributes (e.g., sharp or soft breaking, acceleration, orturning, or frequency of breaking, acceleration, or turning, etc.). Inaddition, the statistical model may account for OBD messages, such asOBD error messages.

At step 1806, process 1800 involve receiving live, runtime updates fromthe one or more ECUs being monitored. As discussed above, this may bebased on a push or pull function. The data from the ECUs may be obtainedby an orchestrator in the vehicle or a remote server (e.g., server 102).

At step 1808, process 1800 may involve identifying an ECU errorassociated with an ECU based on the received data. In some embodiments,the ECU error is determined by comparing the statistical model (asdescribed above) to the live, runtime updates from the ECUs. In someembodiments, the collected data may include identifiers of the ECUs. Thecollected data may include data indicating a last-known poll of theECUs. In some embodiments, process 1800 may determine a probability ofdowntime for the ECUs based on the collected data. At step 1808, process1800 may wirelessly send a report (identifying the ECU and theidentified ECU error) from the vehicle to the remote monitoring server(e.g., server 102) based on the collected data.

In some embodiments, process 1800 may poll the ECUs by sending a requestmessage to the ECUs and determine if the ECUs are properly responding tothe poll. In some embodiments, process 1800 may identify ECU errorsbased on an ECU failing to respond to the poll. Process 1800 may alsoidentify ECU errors based on an ECU incorrectly responding to the poll.In some embodiments, process 1800 may identify ECU errors based on adetected stack overflow in an ECU.

In some embodiments, process 1800 may poll the ECUs to determine whetherthe ECUs are executing ECU software that has a potential impact on oneor more hardware components of the vehicle. Process 1800 may determinewhether the ECUs are executing ECU software that has a potential impactbased on one or more statistical analysis performed on data reported bythe one or more hardware components of the vehicle.

In step 1810, process 1800 may further involve wirelessly sending areport from the vehicle to a server (e.g., server 102) identifying theECU and the ECU error that has been detected. Subsequently, server 102may perform further analysis on the ECU and error that was identified.In some embodiments, server 102 may further receive samples of theruntime data collected from the ECU, an identification of a delta filerunning at the ECU, a software version of the ECU, or actual contents ofthe ECU memory, etc.

Process 1800 may also, at step 1812, determine whether the potentialimpact is detrimental. In such a situation, at step 18134, a controlaction may be implemented for the ECU. For example, the ECU may beadjusted using the delta-file-based software update process describedabove. Further, the ECU may be instructed to perform a roll-back to aprior version of ECU software or perform an update to a new version ofECU software. In addition, in some embodiments the control action mayinclude placing the ECU in a safe mode of operation with certainfunctions (e.g., network communications, memory modification, etc.) arelimited.

It is to be understood that the disclosed embodiments are notnecessarily limited in their application to the details of constructionand the arrangement of the components and/or methods set forth in thefollowing description and/or illustrated in the drawings and/or theexamples. The disclosed embodiments are capable of variations, or ofbeing practiced or carried out in various ways.

The disclosed embodiments may be implemented in a system, a method,and/or a computer program product. The computer program product mayinclude a computer readable storage medium (or media) having computerreadable program instructions thereon for causing a processor to carryout aspects of the present disclosure.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present disclosure may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present disclosure.

Aspects of the present disclosure are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowcharts and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowcharts or block diagrams may represent a software program, segment,or portion of code, which comprises one or more executable instructionsfor implementing the specified logical function(s). It should also benoted that, in some alternative implementations, the functions noted inthe block may occur out of the order noted in the figures. For example,two blocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The descriptions of the various embodiments of the present disclosurehave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

It is expected that during the life of a patent maturing from thisapplication many relevant virtualization platforms, virtualizationplatform environments, trusted cloud platform resources, cloud-basedassets, protocols, communication networks, security tokens andauthentication credentials will be developed and the scope of the theseterms is intended to include all such new technologies a priori.

It is appreciated that certain features of the disclosure, which are,for clarity, described in the context of separate embodiments, may alsobe provided in combination in a single embodiment. Conversely, variousfeatures of the disclosure, which are, for brevity, described in thecontext of a single embodiment, may also be provided separately or inany suitable subcombination or as suitable in any other describedembodiment of the disclosure. Certain features described in the contextof various embodiments are not to be considered essential features ofthose embodiments, unless the embodiment is inoperative without thoseelements.

Although the disclosure has been described in conjunction with specificembodiments thereof, it is evident that many alternatives, modificationsand variations will be apparent to those skilled in the art.Accordingly, it is intended to embrace all such alternatives,modifications and variations that fall within the spirit and broad scopeof the appended claims.

What is claimed is:
 1. A non-transitory computer readable mediumincluding instructions that, when executed by at least one processor,cause the at least one processor to perform operations for identifyingcontroller anomalies, comprising: monitoring data representing real-timeprocessing activity of a controller; receiving comparable data relatingto processing activity of at least one other controller deemedcomparable in functionality to the controller; comparing the real-timeprocessing activity data with the comparable data, to identify, based ona deviation between the real-time processing activity data and thecomparable data, at least one anomaly in the real-time processingactivity of the controller; and implementing a control action for thecontroller when the at least one anomaly is identified based on thedeviation; wherein: software on the controller is mapped to a pluralityof functional units, and the controller is configured to utilize avirtual file system (VFS) to manage and track one or more versions ofeach of the plurality of functional units, and the control actionincludes updating memory addresses of one or more functional unitsmanaged by the VFS based on a delta file corresponding to a secondversion of the software on the controller, wherein the delta filecomprises position-independent code and startup code for updating thememory addresses.
 2. The non-transitory computer readable medium ofclaim 1, wherein the control action includes issuing a prompt to adjustthe controller from executing a first version of the software on thecontroller to the second version of the software on the controller. 3.The non-transitory computer readable medium of claim 1, wherein thecomparing uses a machine learning technique to identify the at least oneanomaly in the real-time processing activity of the controller.
 4. Thenon-transitory computer readable medium of claim 1, wherein thecomparable data comprises a model or map of controller functions.
 5. Thenon-transitory computer readable medium of claim 1, wherein thecomparable data comprises data obtained in real-time relating toprocessing activity of a plurality of other controllers deemedcomparable to the controller.
 6. The non-transitory computer readablemedium of claim 1, wherein the comparable data comprises data previouslygathered relating to processing activity of a plurality of othercontrollers deemed comparable to the controller.
 7. The non-transitorycomputer readable medium of claim 1, wherein receiving the comparabledata further comprises: obtaining the comparable data based on rulesassociated with controller software running on the controller.
 8. Thenon-transitory computer readable medium of claim 1, wherein receivingthe comparable data further comprises: obtaining the comparable databased on known valid sequences of execution of the software on thecontroller.
 9. The non-transitory computer readable medium of claim 1,wherein receiving the comparable data further comprises: obtaining thecomparable data based on known potentially malicious sequences ofexecution of the software on the controller.
 10. The non-transitorycomputer readable medium of claim 1, wherein receiving the comparabledata further comprises: obtaining the comparable data based on a mapfile associated with the software on the controller.
 11. Thenon-transitory computer readable medium of claim 1, wherein thecontroller is associated with a device, and wherein receiving thecomparable data further comprises: receiving observational data fromother devices; and obtaining the comparable data based on theobservational data.
 12. The non-transitory computer readable medium ofclaim 1, wherein the at least one anomaly corresponds to specific memorylocations used by the controller.
 13. The non-transitory computerreadable medium of claim 1, wherein the at least one anomaly correspondsto specific sequences of memory locations used by the controller. 14.The non-transitory computer readable medium of claim 1, wherein the atleast one anomaly corresponds to at least one peak in data flow in orout of the controller.
 15. The non-transitory computer readable mediumof claim 1, wherein the at least one anomaly corresponds to at least onepeak in data processing by a processor of the controller.
 16. Thenon-transitory computer readable medium of claim 1, wherein the at leastone anomaly corresponds to at least one anomaly in power consumption ofthe controller.
 17. The non-transitory computer readable medium of claim1, wherein the control action comprises at least one of: sending analert associated with the controller, blocking an instruction sent fromthe controller, or rolling back a version of the software on thecontroller to a prior version of software.
 18. A system for identifyingcontroller anomalies, the system comprising: one or more processors; andone or more memories having instructions that, when executed by the oneor more processors, cause the one or more processors to perform theoperations of: monitoring data representing real-time processingactivity of the controller; receiving comparable data relating toprocessing activity of at least one other controller deemed comparablein functionality to the controller; comparing the real-time processingactivity data with the comparable data, to identify, based on adeviation between the real-time processing activity data and thecomparable data, at least one anomaly in the real-time processingactivity of the controller; and implementing a control action for thecontroller when the at least one anomaly is identified based on thedeviation; wherein: software on the controller is mapped to a pluralityof functional units, and the controller is configured to utilize avirtual file system (VFS) to manage and track one or more versions ofeach of the plurality of functional units, and the control actionincludes updating memory addresses of one or more functional unitsmanaged by the VFS based on a delta file corresponding to a secondversion of the software on the controller, wherein the delta filecomprises position-independent code and startup code for updating thememory addresses.
 19. The system of claim 18, wherein the control actioncomprises issuing a prompt to adjust the controller from executing afirst version of the software on the controller to the second version ofthe software on the controller.
 20. A computer-implemented method foridentifying controller anomalies, the method comprising: monitoring datarepresenting real-time processing activity of a controller; receivingcomparable data relating to processing activity of at least one othercontroller deemed comparable in functionality to the controller;comparing the real-time processing activity data with the comparabledata, to identify, based on a deviation between the real-time processingactivity data and the comparable data, at least one anomaly in thereal-time processing activity of the controller; and implementing acontrol action for the controller when the at least one anomaly isidentified based on the deviation; wherein: software on the controlleris mapped to a plurality of functional units, and the controller isconfigured to utilize a virtual file system (VFS) to manage and trackone or more versions of each of the plurality of functional units, andthe control action includes updating memory addresses of one or morefunctional units managed by the VFS based on a delta file correspondingto a second version of the software on the controller, wherein the deltafile comprises position-independent code and startup code for updatingthe memory addresses.